My friend who lurks Reddit posts messaged me in the middle of the night with this absolute bombshell. I work in tech, and someone on the internet has managed to crack into Parler and begin downloading all of their content. They were able to do this because Twilio severed their ties to Parler. For those who are not tech savvy, Twilio helps keep track of a website’s users and passwords. It makes it so you can build your website faster rather than worry about boilerplate stuff like logging in, password recovery, etc. Well, since Twilio announced they were severing ties, hackers were able to create administrator accounts, which gave them full privileges inside Parler. This means all the videos, posts, and other media people uploaded are available and currently being downloaded...including driver’s license photos.
You see, Parler billed itself as the far-right alternative to Twitter and Facebook. It’s the brainchild of the mega Trump donors, the Mercers. On Parler you can upload your driver’s license to prove you’re a citizen, so you know you’re talking to real people and not random bots. It also has a nice nationalist ring to it. Also, they were going to keep your data secure, unlike the evil anti-free-speech Big Tech.
And unlike Big Tech, they are AMATEURS with security.
There is also a security principle called “fail-open vs fail-closed” which you can read about here. I’m a developer, not a security expert, but as a developer I understand this concept because when I write code I need to keep it in mind. When Twilio said “Hey, we’re not supporting your authentication anymore, Parler, because you aid and abet terrorism,” that means that when you try to go to Parler and log in, there is nothing checking your password to see if you’re you. If I were the programmer, when you try to log in and Twilio isn’t available for whatever reason, you would get an error saying “Hey, uh, I dunno what happened, but Twilio isn’t responding. Get out.” I would close access to my system after this error. It’s logical because the maxim “unauthenticated users do not get permissions” would apply.
Parler didn’t.
So that leaves the door WIDE OPEN. It was easy to create an administrator password, if not thousands of them to cover your tracks, and then you get access to the whole store. Another thing which also appalls me is that there is a lot of PIFI (personal information) data that a would-be hacker has access to...and it doesn’t seem to be encrypted. See, when you build security you need to have fail-safes in case they do in fact succeed in hacking you. I mean, “10 foot wall, 11 foot ladder” applies in tech. If you break into my database and you’re scrounging around for people’s social security numbers, then A) I’m not going to so easily label them as that, and more importantly B) I’m going to encrypt them. This is “at rest” encryption, meaning when it is sitting in my database it is in encrypted form. So that column labeled “General_ID” (which may or may not be their SS #) will have a bunch of gobbledygook, and it’ll take you a long time to figure out how to decrypt it. Have fun.
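To make the fail-open vs fail-closed point concrete, here is an added example (my own illustration, not Parler’s or Twilio’s code) of a login check that depends on an outside identity provider. The provider is a constructed stub that can be switched into an “outage” state; the only difference between the two handlers is what they do when the provider cannot answer.

```python
"""Fail-open vs fail-closed login checks (constructed example)."""
import hashlib
import hmac
import logging

log = logging.getLogger("auth")


class ProviderUnavailable(Exception):
    """Raised when the hosted authentication service cannot be reached."""


def hash_password(password):
    """Demo-only digest so the stub never stores plaintext (not production KDF)."""
    return hashlib.sha256(password.encode()).hexdigest()


class StubIdentityProvider:
    """Stand-in for a third-party auth API, holding constructed sample users."""

    def __init__(self, users, outage=False):
        self._users = users      # {username: hash_password(password)}
        self.outage = outage     # True simulates the provider cutting us off

    def verify(self, username, password):
        if self.outage:
            raise ProviderUnavailable("identity provider not responding")
        stored = self._users.get(username)
        return stored is not None and hmac.compare_digest(stored, hash_password(password))


def login_fail_open(provider, username, password):
    """BROKEN: a provider outage is treated as 'no objection' and the user is let in."""
    try:
        return provider.verify(username, password)
    except ProviderUnavailable:
        log.warning("provider down; allowing %s through", username)
        return True   # nobody was authenticated, yet permissions are granted


def login_fail_closed(provider, username, password):
    """Correct: an unverifiable login is denied and the outage is logged loudly."""
    try:
        return provider.verify(username, password)
    except ProviderUnavailable:
        log.error("provider down; denying %s (fail-closed)", username)
        return False  # no verification means no access, for anyone


if __name__ == "__main__":
    idp = StubIdentityProvider({"alice": hash_password("correct horse")}, outage=True)
    print(login_fail_open(idp, "mallory", "anything"))    # True: the hole
    print(login_fail_closed(idp, "mallory", "anything"))  # False
```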
So I don’t think Parler encrypted their PIFI data or their image data with respect to licenses, or stored it in a secure image bucket. I mean, this is one horrific security architecture failure after another. The bigger thing, however, is the fact that now all your neighbors’ violent posts about insurrection are being archived and associated with their identification. You cannot hide behind the anonymity of a username, since the database keeps track of which user posts what. I mean, for law enforcement this is huge, but for anyone tracking the far right this data would be a veritable gold mine.
Conservatives like to pretend liberals are bad at executing things, but then we get gems like this.
Monday, Jan 11, 2021 · 2:19:23 PM +00:00 · sujigu
Also, in case you’re wondering, there’s a design choice between deleting data so that it goes away forever, and “deleting” data that in reality is just deactivated and still sits on your servers. Parler chose the latter, so everything, I mean EVERYTHING, is up for grabs.